IT training intrusion detection with SNORT advanced IDS techniques using SNORT, apache, MySQL, PHP, and ACID



Bruce Perens' Open Source Series

• Managing Linux Systems with Webmin: System Administration and Module Development. Jamie Cameron
• Implementing CIFS: The Common Internet File System. Christopher R. Hertel
• Embedded Software Development with eCos. Anthony J. Massa
• The Linux Development Platform: Configuring, Using, and Maintaining a Complete Programming Environment. Rafeeq Ur Rehman, Christopher Paul
• Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID. Rafeeq Ur Rehman

Chapter 1. Introduction to Intrusion Detection and Snort

Security is a big issue for all networks in today's enterprise environment. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services. Many methods have been developed to secure the network infrastructure and communication over the Internet, among them the use of firewalls, encryption, and virtual private networks. Intrusion detection is a relatively new addition to such techniques; intrusion detection methods started appearing in the last few years. Using intrusion detection methods, you can collect and use information from known types of attacks and find out if someone is trying to attack your network or particular hosts. The information collected this way can be used to harden your network security, as well as for legal purposes. Both commercial and open source products are now available for this purpose. Many vulnerability assessment tools are also available that can be used to assess the different types of security holes present in your network.

A comprehensive security system consists of multiple tools, including:

• Firewalls, which are used to block unwanted incoming as well as outgoing traffic. There is a range of firewall products available, both Open Source and commercial. The most popular commercial firewall products are from Checkpoint (http://www.checkpoint.com), Cisco (http://www.cisco.com) and Netscreen (http://www.netscreen.com). The most popular Open Source firewall is the Netfilter/Iptables (http://www.netfilter.org)-based firewall.
• Intrusion detection systems (IDS), which are used to find out if someone has gotten into or is trying to get into your network. The most popular IDS is Snort, which is available at http://www.snort.org.
• Vulnerability assessment tools, which are used to find and plug security holes present in your network. Information collected from vulnerability assessment tools is used to set rules on firewalls so that these security holes are safeguarded from malicious Internet users. There are many vulnerability assessment tools, including Nmap (http://www.nmap.org) and Nessus (http://www.nessus.org).

These tools can work together and exchange information with each other. Some products provide complete systems consisting of all of these products bundled together.

Snort is an open source Network Intrusion Detection System (NIDS) which is available free of cost. A NIDS is the type of Intrusion Detection System (IDS) that is used for scanning data flowing on the network. There are also host-based intrusion detection systems, which are installed on a particular host and detect attacks targeted at that host only. Although all intrusion detection methods are still new, Snort is ranked among the top quality systems available today.

The book starts with an introduction to intrusion detection and related terminology. You will learn installation and management of Snort as well as other products that work with Snort. These products include the MySQL database (http://www.mysql.org) and the Analysis Console for Intrusion Databases (ACID) (http://www.cert.org/kb/acid). Snort has the capability to log collected data (such as alerts and other log messages) to a database; MySQL is used as the database engine where all of this data is stored. Using the Apache web server (http://www.apache.org) and ACID, you can analyze this data. A combination of Snort, Apache, MySQL, and ACID makes it possible to log the intrusion detection data into a database and then view and analyze it later, using a web interface.

This book is organized in such a way that the reader will be able to build a complete intrusion detection system by going through the following chapters in a step-by-step manner. All steps of installing and integrating the different tools are explained in the book as outlined below.

Chapter 2 provides basic information about how to build and install Snort itself. Using the basic installation and default rules, you will be able to get a working IDS. You will be able to create log files that show intrusion activity.

Chapter 3 provides information about Snort rules, the different parts of Snort rules and how to write your own rules according to your environment and needs. This chapter is very important, as writing good rules is the key to building a detection system. The chapter also explains the different rules that are part of the Snort distribution.

Chapter 4 is about input and output plug-ins. Plug-ins are parts of the software that are compiled with Snort and are used to modify the input or output of the Snort detection engine. Input plug-ins (preprocessors) prepare captured data packets before the actual detection process is applied to them. Output plug-ins format output to be used for a particular purpose. For example, an output plug-in can convert the detection data to a Simple Network Management Protocol (SNMP) trap. Another output plug-in is used to log Snort output data into databases. This chapter provides a comprehensive overview of how these plug-ins are configured and used.

Chapter 5 provides information about using the MySQL database with Snort. The MySQL plug-in enables Snort to log data into the database to be used in the analysis later on. In this chapter you will find information about how to create a database in MySQL, configure the database plug-in, and log data to the database.

Chapter 6 describes ACID, how to use it to get data from the database you configured in Chapter 5, and how to display it using the Apache web server. ACID is a very important tool that provides rich data analysis capabilities. You can find the frequency of attacks, classify different attacks, view the source of these attacks and so on. ACID uses the PHP (PHP: Hypertext Preprocessor) scripting language, the GD graphics library and PHPLOT, which is a tool to draw graphs. A combination of all of these results in web pages that display, analyze and graph data stored in the MySQL database.

Chapter 7 is devoted to information about some other useful tools that can be used with Snort.

The system that you will build after going through this book is displayed in Figure 1-1 with its different components.

Figure 1-1 Block diagram of a complete network intrusion detection system consisting of Snort, MySQL, Apache, ACID, PHP, GD Library and PHPLOT

As you can see, data is captured and analyzed by Snort. Snort then stores this data in the MySQL database using the database output plug-in. The Apache web server takes help from ACID, PHP, the GD library and the PHPLOT package to display this data in a browser window when a user connects to Apache. A user can then make different types of queries on the forms displayed in the web pages to analyze, archive, graph and delete data. In essence, you can build a single computer with Snort, MySQL database, Apache, PHP, ACID, GD library and PHPLOT. A more realistic picture of the system that you will be able to build after reading this book is shown in Figure 1-2.

Figure 1-2 A network intrusion detection system with web interface

In the enterprise, people usually have multiple Snort sensors behind every router or firewall. In that case you can use a single centralized database to collect data from all of the sensors. You can run the Apache web server on this centralized database server as shown in Figure 1-3.

Figure 1-3 Multiple Snort sensors in the enterprise logging to a centralized database server

1.1 What is Intrusion Detection?
Intrusion detection is a set of techniques and methods that are used to detect suspicious activity both at the network and host level. Intrusion detection systems fall into two basic categories: signature-based intrusion detection systems and anomaly detection systems. Intruders have signatures, like computer viruses, that can be detected using software. You try to find data packets that contain any known intrusion-related signatures or anomalies related to Internet protocols. Based upon a set of signatures and rules, the detection system is able to find and log suspicious activity and generate alerts. Anomaly-based intrusion detection usually depends on packet anomalies present in protocol header parts. In some cases these methods produce better results compared to signature-based IDS. Usually an intrusion detection system captures data from the network and applies its rules to that data or detects anomalies in it. Snort is primarily a rule-based IDS; however, input plug-ins (preprocessors) are present to detect anomalies in protocol headers.

Snort uses rules stored in text files that can be modified with a text editor. Rules are grouped in categories, and the rules belonging to each category are stored in separate files. These files are then included in a main configuration file called snort.conf. Snort reads these rules at start-up time and builds internal data structures or chains to apply these rules to captured data. Finding signatures and using them in rules is a tricky job, since the more rules you use, the more processing power is required to process captured data in real time. It is important to implement as many signatures as you can using as few rules as possible. Snort comes with a rich set of pre-defined rules to detect intrusion activity and you are free to add your own rules at will. You can also remove some of the built-in rules to avoid false alarms.

1.1.1 Some Definitions

Before we go into the details of intrusion detection and Snort, you need to learn some definitions related to security. These definitions will be used repeatedly in the coming chapters. A basic understanding of these terms is necessary to digest other, more complicated security concepts.

1.1.1.1 IDS

An Intrusion Detection System or IDS is software, hardware or a combination of both used to detect intruder activity. Snort is an open source IDS available to the general public. An IDS may have different capabilities depending upon how complex and sophisticated its components are. IDS appliances that are a combination of hardware and software are available from many companies. As mentioned earlier, an IDS may use signatures, anomaly-based techniques or both.

1.1.1.2 Network IDS or NIDS

NIDS are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them to a database of signatures. Depending upon whether a packet is matched with an intruder signature, an alert is generated or the packet is logged to a file or database. One major use of Snort is as a NIDS.

1.1.1.3 Host IDS or HIDS

Host-based intrusion detection systems or HIDS are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity. Some of these systems are reactive, meaning that they inform you only after something has happened. Some HIDS are proactive; they can sniff the network traffic coming to the particular host on which the HIDS is installed and alert you in real time.

1.1.1.4 Signatures

A signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of "scripts/iisadmin" in a packet going to your web server may indicate intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack. For example, you can find signatures in the IP header, the transport layer header (TCP or UDP header) and/or the application layer header or payload. You will learn more about signatures later in this book. Usually an IDS depends upon signatures to find out about intruder activity. Some vendor-specific IDS need updates from the vendor to add new signatures when a new type of attack is discovered. In other IDS, like Snort, you can update signatures yourself.

1.1.1.5 Alerts

Alerts are any sort of user notification of intruder activity. When an IDS detects an intruder, it has to inform the security administrator about this using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts. You will find detailed information about alerts later in this book. Snort can generate alerts in many forms, and they are controlled by output plug-ins. Snort can also send the same alert to multiple destinations. For example, it is possible to log alerts into a database and generate SNMP traps simultaneously. Some plug-ins can also modify the firewall configuration so that offending hosts are blocked at the firewall or router level.

1.1.1.6 Logs

The log messages are usually saved in files. By default Snort saves these messages under the /var/log/snort directory. However, the location of log messages can be changed using the command line switch when starting Snort. Log messages can be saved either in text or binary format. The binary files can be viewed later on using Snort or the tcpdump program. A new tool called Barnyard is also available now to analyze binary log files generated by Snort. Logging in binary format is faster because it saves some formatting overhead. In high-speed Snort implementations, logging in binary mode is necessary.

1.1.1.7 False Alarms

False alarms are alerts generated due to an indication that is not intruder activity. For example, misconfigured internal hosts may sometimes broadcast messages that trigger a rule, resulting in the generation of a false alert. Some routers, like Linksys home routers, generate lots of UPnP related alerts.
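The signature, alert and false-alarm ideas of 1.1.1.4 to 1.1.1.7 in working form, as an added example that is not part of the book or of Snort: a small matcher for a subset of Snort's rule syntax (CIDR or "any" addresses with "!" negation, ports, the "->" direction, the content and flags options), run over a few constructed packets. The rules, the $HOME_NET value, the addresses and the packets are all made up here; the "scripts/iisadmin" content comes from the signature example above, and the last step comments out the UPnP rule, which is the tuning step the text recommends for a home router's NOTIFY chatter.

```python
"""Minimal Snort-style signature matcher over constructed packets.
Added example for this page; it is not Snort's code and supports only a
small subset of Snort's rule language."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical sensor variable, as $HOME_NET would be set in snort.conf.
VARIABLES = {"$HOME_NET": "192.168.1.0/24"}


@dataclass
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    flags: str = ""   # TCP control bits that are set, as letters from "UAPRSF"


RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def _expand(value):
    """Replace a $VARIABLE (optionally negated with '!') by its definition."""
    negated, name = value.startswith("!"), value.lstrip("!")
    return ("!" if negated else "") + VARIABLES.get(name, name)


def parse_rule(text):
    """Split one rule into its header fields and an options dict."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("cannot parse rule: %r" % text)
    rule = {k: _expand(v) for k, v in m.groupdict().items() if k != "opts"}
    rule["options"] = {}
    for item in m.group("opts").split(";"):
        key, _, value = item.strip().partition(":")
        if key:
            rule["options"][key] = value.strip().strip('"')
    return rule


def load_rules(text):
    """Rules-file semantics: blank lines and lines starting with '#' are ignored."""
    return [parse_rule(line.strip()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    in_net = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return in_net != spec.startswith("!")


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def _flags_ok(spec, flags):
    """Snort semantics: 'S' means exactly SYN; 'S+' means SYN plus any others."""
    if spec.endswith("+"):
        return set(spec[:-1]) <= set(flags)
    return set(spec) == set(flags)


def matches(rule, pkt):
    """True when the rule header and the supported options match the packet."""
    if rule["proto"] != pkt.proto:
        return False
    if not (_addr_ok(rule["src"], pkt.src) and _port_ok(rule["sport"], pkt.sport)
            and _addr_ok(rule["dst"], pkt.dst) and _port_ok(rule["dport"], pkt.dport)):
        return False
    opts = rule["options"]
    if "content" in opts and opts["content"].encode() not in pkt.payload:
        return False
    return "flags" not in opts or _flags_ok(opts["flags"], pkt.flags)


def run(rules, packets):
    """Return (action, msg, src, dst) for every rule that fires on every packet."""
    return [(r["action"], r["options"].get("msg", ""), p.src, p.dst)
            for p in packets for r in rules if matches(r, p)]


def disable(rules_text, msg_fragment):
    """Tune out a noisy rule by commenting it out, as the text advises for false alarms."""
    return "\n".join("# " + ln if msg_fragment in ln and not ln.startswith("#") else ln
                     for ln in rules_text.splitlines())


# Three illustrative rules (made up for this example, not from the Snort rule set).
RULES = """\
alert tcp any any -> $HOME_NET 80 (msg:"WEB-IIS scripts/iisadmin access"; content:"scripts/iisadmin";)
alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"SSH SYN from outside"; flags:S;)
alert udp any any -> 239.255.255.250 1900 (msg:"UPnP NOTIFY"; content:"NOTIFY";)
"""

# Constructed traffic, not a capture: an IIS probe, an external and an internal SSH
# SYN, and the UPnP chatter a home router emits (the text's false-alarm example).
PACKETS = [
    Packet("tcp", "203.0.113.7", 40001, "192.168.1.10", 80,
           b"GET /scripts/iisadmin/ism.dll HTTP/1.0\r\n\r\n", "PA"),
    Packet("tcp", "203.0.113.7", 40002, "192.168.1.10", 22, b"", "S"),
    Packet("tcp", "192.168.1.20", 40003, "192.168.1.10", 22, b"", "S"),
    Packet("udp", "192.168.1.1", 1900, "239.255.255.250", 1900,
           b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in run(load_rules(RULES), PACKETS):
        print(alert)
    print("after tuning:", run(load_rules(disable(RULES, "UPnP")), PACKETS))
```

Run as written, the default rule set produces three alerts (the IIS probe, the external SSH SYN and the router's UPnP NOTIFY); the internal SSH SYN is silent because "!$HOME_NET" excludes it. After disable() comments out the UPnP rule, the same traffic yields two alerts, which is exactly the effect of pruning a noisy rule from the files included by snort.conf.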
To avoid false alarms, you have to modify and tune different default rules. In some cases you may need to disable some of the rules to avoid false alarms.

1.1.1.8 Sensor

The machine on which an intrusion detection system is running is also called the sensor in the literature because it is used to "sense" the network. Later in this book, if the word sensor is used, it refers to a computer or other device where Snort is running.

1.1.2 Where IDS Should be Placed in Network Topology

Depending upon your network topology, you may want to position intrusion detection systems at one or more places. It also depends upon what type of intrusion activities you want to detect: internal, external or both. For example, if you want to detect only external intrusion activities, and you have only one router connecting to the Internet, the best place for an intrusion detection system may be just inside the router or a firewall. If you have multiple paths to the Internet, you may want to place one IDS box at every entry point. However, if you want to detect internal threats as well, you may want to place a box in every network segment. In many cases you don't need to have intrusion detection activity in all network segments, and you may want to limit it only to sensitive network areas. Note that more intrusion detection systems mean more work and more maintenance costs. Your decision really depends upon your security policy, which defines what you really want to protect from hackers. Figure 1-4 shows typical locations where you can place an intrusion detection system.

Figure 1-4 Typical locations for an intrusion detection system

As you can see from Figure 1-4, typically you should place an IDS behind each of your firewalls and routers. In case your network contains a demilitarized zone (DMZ), an IDS may be placed in that zone as well. However, the alert generation policy should not be as strict in a DMZ compared to the private parts of the network.

1.1.3 Honey Pots

Honey pots are systems used to lure hackers by exposing known vulnerabilities deliberately. Once a hacker finds a honey pot, it is more likely that the hacker will stick around for some time. During this time you can log hacker activities to find out his/her actions and techniques. Once you know these techniques, you can use this information later on to harden security on your actual servers. There are different ways to build and place honey pots. The honey pot should have common services running on it. These common services include a Telnet server (port 23), a Hyper Text Transfer Protocol (HTTP) server (port 80), a File Transfer Protocol (FTP) server (port 21) and so on. You should place the honey pot somewhere close to your production servers so that hackers can easily take it for a real server. For example, if your production servers have Internet Protocol (IP) addresses 192.168.10.21 and 192.168.10.23, you can assign an IP address of 192.168.10.22 to the honey pot. You can also configure your firewall and/or router to redirect traffic on some ports to a honey pot where the intruder thinks that he/she is connecting to a real server. You should be careful in creating an alert mechanism so that when your honey pot is compromised, you are notified immediately. It is a good idea to keep log files on some other

[Excerpt break: the text jumps here from Chapter 1 to the book's MySQL appendix.]

    mysql> insert into customers values ('Boota', '135 SB, Sargodha', '001-946-15', '1970-01-01');
    Query OK, 1 row affected (0.06 sec)

    mysql>

Displaying Data in Tables

The select command retrieves data from one or more tables. In its simplest form, the following command displays all records in the customers table.

    mysql> select * from customers;
    +-------+------------------+------------+------------+
    | name  | address          | phone      | dob        |
    +-------+------------------+------------+------------+
    | Boota | 135 SB, Sargodha | 001-946-15 | 1970-01-01 |
    +-------+------------------+------------+------------+
    1 row in set (0.00 sec)

    mysql>

For more information on the select command, use any SQL language reference.

Deleting Data from Tables

The delete command removes data from a table. The following command deletes records from the customers table where the name of the
customer is Boota.

    mysql> delete from customers where customers.name='Boota';
    Query OK, 1 row affected (0.00 sec)

    mysql>

Switching from One Database to Another

You can use the use command to switch to another database. The following command starts using the mysql-test database.

    mysql> use mysql-test
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    mysql>

Creating a User

The simplest way to create a user is to grant the user some access rights to a database. If the user does not already exist, it will be created. The following command creates a user rrehman and grants all access rights on the testdb database.

    mysql> grant all on testdb.* to rrehman;
    Query OK, 0 rows affected (0.00 sec)

    mysql>

This command creates a row in the user table in the mysql database for user rrehman and grants permission for everything to user rrehman on database testdb. Note that with no host part the account is created as rrehman@'%', reachable from any host, and with no password until one is set; for a sensor account prefer a host-qualified user with a password, as in the examples below.

Setting Password for a User

You can assign a password to the user upon creation. The following command creates a user rrehman and assigns the password boota.

    grant all on testdb.* to rrehman identified by 'boota';

To assign a password later on, use the following command:

    mysql> set password for rrehman = password('kaka');
    Query OK, 0 rows affected (0.00 sec)

    mysql>

Granting Permissions

The grant command is used to grant different levels of permissions to users. Refer to the following command, where different permissions are assigned to a user rr on localhost.

    mysql> grant CREATE,INSERT,DELETE,UPDATE,SELECT on snort.* to rr@localhost;
    Query OK, 0 rows affected (0.00 sec)

    mysql>

A sensor that only writes alerts needs INSERT and SELECT on the snort database; DELETE and UPDATE are needed by the ACID console for archiving and deleting alerts, and CREATE only while the schema is being created. Keeping the account that is named in snort.conf this narrow limits what someone who reads that file can do to the stored evidence.

Using mysqladmin Utility

The mysqladmin utility is used for database administration. A complete discussion is beyond the scope of this book. The following output of the command shows some of the tasks that it is capable of doing.

    [root@conformix /root]# mysqladmin
    mysqladmin  Ver 8.18 Distrib 3.23.36, for redhat-linux-gnu on i386
    Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
    This software comes with ABSOLUTELY NO WARRANTY. This is free software,
    and you are welcome to modify and redistribute it under the GPL license

    Administration program for the mysqld daemon.
    Usage: mysqladmin [OPTIONS] command command....

      -#, --debug=...       Output debug log. Often this is 'd:t:o,filename`
      -f, --force           Don't ask for confirmation on drop database; with multiple
                            commands, continue even if an error occurs
      -?, --help            Display this help and exit
      --character-sets-dir=...
                            Set the character set directory
      -C, --compress        Use compression in server/client protocol
      -h, --host=#          Connect to host
      -p, --password[=...]  Password to use when connecting to server
                            If password is not given it's asked from the tty
      -P  --port=...        Port number to use for connection
      -i, --sleep=sec       Execute commands again and again with a sleep between
      -r, --relative        Show difference between current and previous values when
                            used with -i. Currently works only with extended-status
      -E, --vertical        Print output vertically. Is similar to --relative, but
                            prints output vertically
      -s, --silent          Silently exit if one can't connect to server
      -S, --socket=...      Socket file to use for connection
      -t, --timeout=...     Timeout for connection to the mysqld server
      -u, --user=#          User for login if not current user
      -v, --verbose         Write more information
      -V, --version         Output version information and exit
      -w, --wait[=retries]  Wait and retry if connection is down

    Default options are read from the following files in the given order:
    /etc/my.cnf /var/lib/mysql/my.cnf ~/.my.cnf
    The following groups are read: mysqladmin client
    The following options may be given as the first argument:
    --print-defaults        Print the program argument list and exit
    --no-defaults           Don't read default options from any options file
    --defaults-file=#       Only read default options from the given file #
    --defaults-extra-file=# Read this file after the global files are read

    Possible variables for option --set-variable (-O) are:
    connect_timeout       current value:
    shutdown_timeout      current value: 3600

    Where command is a one or more of: (Commands may be shortened)
      create databasename   Create a new database
      drop databasename     Delete a database and all its tables
      extended-status       Gives an extended status message from the server
      flush-hosts           Flush all cached hosts
      flush-logs            Flush all logs
      flush-status          Clear status variables
      flush-tables          Flush all tables
      flush-threads         Flush the thread cache
      flush-privileges      Reload grant tables (same as reload)
      kill id,id,...        Kill mysql threads
      password new-password Change old password to new-password
      ping                  Check if mysqld is alive
      processlist           Show list of active threads in server
      reload                Reload grant tables
      refresh               Flush all tables and close and open logfiles
      shutdown              Take server down
      status                Gives a short status message from the server
      start-slave           Start slave
      stop-slave            Stop slave
      variables             Prints variables available
      version               Get version info from server
    [root@conformix]#

You can use different options on the command line. For example, "mysqladmin version" will show the version number for the utility.

Appendix C. Packet Header Formats

Snort rules use the protocol type field to distinguish among different protocols. Different header parts in packets are used to determine the type of protocol used in a packet. In addition, rule options can test many of the header fields. This appendix explains the headers of different protocols. These packet headers are explained in detail in RFCs. Understanding the different parts of these packet headers is very important for writing effective Snort rules.

IP Packet Header

The basic IPv4 header consists of 20 bytes. An options part may be present after these 20 bytes; this optional part may be up to forty bytes long. The structure of the IP header is shown in Figure C-1.

Figure C-1 IP header

Detailed information about the IP packet header can be found in RFC 791, which is available from ftp://ftp.isi.edu/in-notes/rfc791.txt and many other places including the RFC editor web site. A brief explanation of the different fields in the IP packet header is found in Table C-1.

Table C-1 IP Packet Header Fields

    V: Version number. The value is 4 for IPv4. Four bits are used for this part.
    IHL: Internet Header Length. This field shows the length of the IP packet header and is used to find out if the options part is present after the basic header. Four bits are used for IHL, and it gives the length in 32-bit words. The value of this field for a basic 20-byte header is 5.
    TOS: Type of service used for this packet. It is 8 bits in length.
    Total Length: The length of the IP packet, including the data part. It is 16 bits long.
    ID: Packet identification number. This part is 16 bits long.
    F: Flags. This part is three bits long and it shows the different flags used in the IP header.
    Frag Offset: This part is thirteen bits long and it shows the fragment offset in case an IP packet is fragmented.
    TTL: The time to live value. It is eight bits long.
    Protocol: The transport layer protocol number. It is eight bits long.
    Header Checksum: The header checksum, which is used to detect any error in the IP header. This part is sixteen bits long.
    Source Address: The 32-bit source IP address.
    Destination Address: The 32-bit destination IP address.

ICMP Packet Header

The ICMP header is completely explained in RFC 792, which is available from ftp://ftp.isi.edu/in-notes/rfc792.txt for download. Figure C-2 shows the basic structure of the ICMP header. Note that depending upon the type of ICMP packet, this basic header is followed by different parts.

Figure C-2 Basic ICMP header

An explanation of the fields in a basic ICMP header is provided in Table C-2.

Table C-2 ICMP Packet Header Fields

    Type: This part is 8 bits long and shows the type of ICMP packet.
    Code: This part is also 8 bits long and shows the sub-type or code number used for the packet.
    Checksum: This part is 16 bits long and is used to detect any errors in the ICMP packet.

The ICMP information part varies depending upon the value of the type field. For example, the ping command uses the ICMP ECHO REQUEST type of packet. This packet header is shown in Figure C-3.

Figure C-3 ICMP packet used in ping command

For a complete list of ICMP packet types, refer to RFC 792.

TCP Packet Header

The TCP packet header is discussed in detail in RFC 793, which is available at ftp://ftp.isi.edu/in-notes/rfc793.txt for download. Figure C-4 shows the structure of the TCP header.

Figure C-4 TCP header

The different parts of the TCP header are explained in Table C-3. Again, for a detailed explanation of TCP, refer to RFC 793.

Table C-3 TCP Packet Header Fields

    Source Port: This part is 16 bits long and shows the source port number.
    Destination Port: This is a 16-bit field and shows the destination port number.
    Sequence Number: The sequence number for the TCP packet. It is 32 bits long. It shows the sequence number of the first data octet in the packet; however, if the SYN bit is set, this number is the initial sequence number.
    Acknowledgement Number: This number is used for acknowledging packets. It is 32 bits long. It shows the sequence number of the next octet that the sender is expecting.
    Offset: This is a 4-bit field and shows the length of the TCP header. Length is measured in 32-bit words.
    Reserved: Six bits are reserved.
    Flags or Control bits: The flags are six bits in length and are used for control purposes. These bits are URG, ACK, PSH, RST, SYN and FIN. A value of 1 in any bit position indicates that the flag is set.
    Window: This is 16 bits long and is used to tell the other side the size of the TCP window.
    Checksum: This is a checksum for the TCP header and data. It is 16 bits long.
    Urgent Pointer: This field is used only when the URG flag is set. It is 16 bits long.
    Options: This part is of variable length.

UDP Packet Header

The UDP packet header is simple and is described in RFC 768. It has four fields, as shown in Figure C-5: source port, destination port, length and checksum. Each field is 16 bits long.

Figure C-5 UDP packet header

ARP Packet Header

ARP packets are used to discover the hardware or MAC address when the IP address is known. In any LAN, you will see a lot of ARP packets being transmitted. This is because each host has to find out the MAC address of the destination host before sending data. ARP is a broadcast protocol, and its packet header is shown in Figure C-6.

Figure C-6 ARP header

The different fields in the ARP packet header are described in Table C-4.

Table C-4 ARP Packet Header Fields

    HW Address Type: A 16-bit field that shows the type of hardware. Since most LANs are Ethernet-based, its value is usually 1. For IEEE 802 networks, its value is 6. For an IPsec tunnel, the value is 31.
    Protocol Address Type: Shows the protocol used at the network layer. The value of this field is 0x800 for IP.
    HW Addr Len: The length of the hardware address in bytes. This field is 8 bits long.
    Proto Addr Length: The length of the protocol address in bytes. This field is also 8 bits long.
    Operation or Opcode: This field is 16 bits long and gives the type of ARP packet. A value of 1 indicates a request packet and a value of 2 indicates a reply packet.
    Source hardware address: This is a 48-bit field in the case of Ethernet; in general its length is variable.
    Source protocol address: This is a 32-bit field in the case of IPv4; in general its length is variable.
    Target hardware address: This is 48 bits long in Ethernet; in general its length is variable.
    Target protocol address: This is 32 bits in the case of IPv4; in general its length is variable.

Appendix D. Glossary

This appendix defines some of the most commonly used terms in this book.

    Alert: A message generated when any intruder activity is detected. Alerts may be sent in many different forms, e.g., pop-up window, logging to screen, e-mail and so on.
    DMZ: Demilitarized zone.
    HIDS: Host Intrusion Detection System. A system that detects intruder activity for a host.
    IDS: Intrusion Detection System. A system that detects any intruder activity. Snort is an example of an IDS.
    IDS Signature: A pattern that we want to look for in a data packet. Based upon a particular signature we can define an appropriate action to take.
    NIDS: Network Intrusion Detection System. This is an intrusion detection system that works for a network. Usually a device (a computer or a dedicated device) is placed at an appropriate location in the network to detect any intruder activity.
    Rule Header: The first part of each Snort rule. It contains information about action, protocol, source and destination addresses, port numbers and direction.
    Snort Configuration File: The snort.conf file, which is the main configuration file for Snort. It is read at the time when Snort starts.
    Snort Rule: A way of conveying intruder signatures to Snort.
    TOS: Type of Service field used in the IPv4 packet header.
    Trust Levels: Different levels of trust may be imposed in different trust zones. For example, a financial database may be at a different trust level than a company public web server. See also Trust Zone.
    Trust Zone: An area of your network where you apply the same security policy. For example, all publicly accessible hosts (WWW and e-mail servers) may be placed in a demilitarized zone (DMZ).
    TTL: Time to Live field used in the IP packet header.

Appendix E. SNML DTD

This is the DTD file used for Snort XML based messages. Only the comments describing the iphdr element survived extraction of this page; the element and attribute declarations themselves are missing. From what remains, iphdr contains one of tcphdr, udphdr or icmphdr followed by zero or more option elements, and carries these attributes:

    source IP address              IP address (e.g. 192.168.1.2)
    destination IP address         IP address (e.g. 192.168.1.2)
    version of ip                  1 byte INT (0 - 15)
    header length in 32 bit words  1 byte INT (0 - 15)
    type of service                1 byte INT (0 - 255)
    total length of the packet     2 byte INT (0 - 65535)
    identification                 2 byte INT (0 - 65535)
    fragment flags                 1 byte INT (0 - 7)
    fragment offset                2 byte INT (0 - 65535)
    time to live                   1 byte INT (0 - 255)
    protocol                       1 byte INT (0 - 255)
    checksum                       2 byte INT (0 - 65535)

The declarations for the tcphdr, udphdr and icmphdr elements are not recoverable from this page.
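The header layouts of Tables C-1 to C-3 and Figure C-5, written out as a parser over raw bytes. This is an added example for this page, not code from the book, from Snort or from the SNML DTD; the sample packets, addresses and port numbers are made up and built inline by the build_ipv4 helper, and the header checksum check is the kind of protocol anomaly an input plug-in (preprocessor) flags before the rule engine sees the packet.

```python
"""Parse the IPv4, TCP, UDP and ICMP headers described in Appendix C from raw bytes.
Added example for this page, not code from the book or from Snort. The packets are
constructed inline (no capture file); layouts follow RFC 791, 793, 768 and 792."""
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the IP, TCP, UDP and ICMP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


TCP_FLAG_NAMES = "FSRPAU"   # bit 0 = FIN ... bit 5 = URG, as laid out in RFC 793


def parse_ipv4(pkt: bytes) -> dict:
    """Return the Table C-1 fields of an IPv4 header plus the parsed transport header."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto, hdr_csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4 or ihl < 5 or len(pkt) < ihl * 4 or total_len < ihl * 4:
        raise ValueError("not a well-formed IPv4 packet")
    hdr_len = ihl * 4
    ip = {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": hdr_csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": pkt[20:hdr_len],
        # A header whose checksum does not verify is itself an anomaly worth noting.
        "checksum_ok": checksum(pkt[:hdr_len]) == 0,
    }
    payload = pkt[hdr_len:total_len]
    if proto == 6:
        ip["tcp"] = parse_tcp(payload)
    elif proto == 17:
        ip["udp"] = parse_udp(payload)
    elif proto == 1:
        ip["icmp"] = parse_icmp(payload)
    return ip


def parse_tcp(seg: bytes) -> dict:
    """Table C-3 fields; flags are returned as letters such as 'S' or 'PA'."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    offset = off_res >> 4
    if offset < 5 or len(seg) < offset * 4:
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "offset": offset,
            "flags": "".join(n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)),
            "window": window, "checksum": csum, "urgent": urg,
            "options": seg[20:offset * 4], "payload": seg[offset * 4:]}


def parse_udp(dgram: bytes) -> dict:
    """RFC 768: four 16-bit fields, then data."""
    if len(dgram) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    return {"sport": sport, "dport": dport, "length": length, "checksum": csum,
            "payload": dgram[8:length]}


def parse_icmp(msg: bytes) -> dict:
    """Table C-2 fields; for echo request/reply (types 8/0) also identifier and sequence."""
    if len(msg) < 4:
        raise ValueError("truncated ICMP header")
    typ, code, csum = struct.unpack("!BBH", msg[:4])
    out = {"type": typ, "code": code, "checksum": csum,
           "checksum_ok": checksum(msg) == 0, "rest": msg[4:]}
    if typ in (0, 8) and len(msg) >= 8:
        out["identifier"], out["sequence"] = struct.unpack("!HH", msg[4:8])
    return out


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234):
    """Construct a sample packet (DF set, no options) with a correct header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


# Constructed samples (made-up addresses): a TCP SYN to port 80 and an ICMP echo request.
SYN = build_ipv4("203.0.113.7", "192.168.1.10", 6,
                 struct.pack("!HHIIBBHHH", 40001, 80, 1000, 0, 5 << 4, 0x02, 8192, 0, 0))
_echo = b"\x08\x00\x00\x00\x00\x01\x00\x01abcdefgh"
PING = build_ipv4("192.168.1.20", "192.168.1.10", 1,
                  _echo[:2] + struct.pack("!H", checksum(_echo)) + _echo[4:])

if __name__ == "__main__":
    for name, raw in (("SYN", SYN), ("PING", PING)):
        print(name, parse_ipv4(raw))
```

The parser stops at the offsets the header fields themselves declare (IHL, TCP data offset, UDP length), which is what lets a rule option such as Snort's content test be applied to the payload rather than to header bytes; flipping any header byte of the SYN sample makes checksum_ok false, which is the anomaly case the preprocessor section of the text alludes to.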

Posted: 05/11/2019, 14:24
